Hijack Execution Flow: DLL (T1574.001)
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.
Events covered
14 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 91 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so that Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (21 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (881 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Common exclusions (36 distinct)
Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma (78 rules)
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading by VMware Xfer Utility
- DLL Sideloading Of ShellChromeAPI.DLL
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- Fax Service DLL Search Order Hijack
- HackTool - Powerup Write Hijack DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Defender Blocked from Loading Unsigned DLL
- Microsoft Office DLL Sideload
- New DNS ServerLevelPluginDll Installed
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading
- Potential appverifUI.DLL Sideloading
- Potential AVKkid.DLL Sideloading
- Potential Azure Browser SSO Abuse
- Potential CCleanerDU.DLL Sideloading
- Potential CCleanerReactivator.DLL Sideloading
- Potential Chrome Frame Helper DLL Sideloading
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential DLL Sideloading Of DBGHELP.DLL
- Potential DLL Sideloading Of DbgModel.DLL
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Potential DLL Sideloading Of MpSvc.DLL
- Potential DLL Sideloading Of MsCorSvc.DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via comctl32.dll
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via VMware Xfer
- Potential EACore.DLL Sideloading
- Potential Edputil.DLL Sideloading
- Potential Goopdate.DLL Sideloading
- Potential Initial Access via DLL Search Order Hijacking
- Potential Iviewers.DLL Sideloading
- Potential JLI.dll Side-Loading
- Potential Libvlc.DLL Sideloading
- Potential Mfdetours.DLL Sideloading
- Potential Mpclient.DLL Sideloading
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential Python DLL SideLoading
- Potential Rcdll.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Potential RoboForm.DLL Sideloading
- Potential ShellDispatch.DLL Sideloading
- Potential SmadHook.DLL Sideloading
- Potential SolidPDFCreator.DLL Sideloading
- Potential System DLL Sideloading From Non System Locations
- Potential Vivaldi_elf.DLL Sideloading
- Potential Waveedit.DLL Sideloading
- Potential Wazuh Security Platform DLL Sideloading
- Potential WWlib.DLL Sideloading
- Potentially Suspicious Child Process of KeyScrambler.exe
- Registry Modification for OCI DLL Redirection
- Renamed Vmnat.exe Execution
- Suspicious GUP Usage
- Suspicious Unsigned Thor Scanner Execution
- System Control Panel Item Loaded From Uncommon Location
- Tasks Folder Evasion
- Third Party Software DLL Sideloading
- UAC Bypass With Fake DLL
- Unsigned .node File Loaded
- Unsigned Binary Loaded From Suspicious Location
- Unsigned Mfdetours.DLL Sideloading
- Unsigned Module Loaded by ClickOnce Application
- VMGuestLib DLL Sideload
- VMMap Signed Dbghelp.DLL Potential Sideloading
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Xwizard.EXE Execution From Non-Default Location
Splunk (12 rules)
- MSI Module Loaded by Non-System Binary
- Msmpeng Application DLL Side Loading
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Windows DLL Side-Loading In Calc
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Known Abused DLL Created
- Windows Known Abused DLL Loaded Suspiciously
- Windows Known GraphicalProton Loaded Modules
- Windows SqlWriter SQLDumper DLL Sideload
- Windows Unsigned DLL Side-Loading
- Windows Unsigned DLL Side-Loading In Same Process Path
- Windows Unsigned MS DLL Side-Loading